Markdown link XSS
Check whether Markdown, MDX, or editor renderers safely normalize and sanitize link URLs, raw HTML, and image URLs.
HTML payload check
This scenario tests how user input is rendered into HTML / DOM, not iframe sandbox behavior.
- Sanitize the final HTML after Markdown rendering
- Validate link URLs through a protocol allowlist
- Check whether raw HTML support is enabled
Payload
Paste this into a Markdown-backed editor and inspect the rendered href.
Preview
The preview intentionally performs unsafe rendering for learning. In a real service, this payload should be escaped as text or removed.
Explanation
- Markdown feels like safe text, but the rendered result is HTML. A weak URL policy can leave schemes such as javascript: alive.
- ProseMirror, Markdown, MDX, and rich-text renderers often have different storage and output formats. Validate the final rendered HTML, not just the saved input.
- Raw HTML, custom node renderers, and embed extensions are separate attack surfaces. Document allowed tags and URL policy per plugin.
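The protocol allowlist described above, as an added example that is not part of this lab page: the check uses the WHATWG URL parser so that scheme normalisation (lower-casing, stripped tabs and newlines, leading whitespace) matches what a browser does with the same href, and it is meant to run over every href and src in the final rendered output, not the saved Markdown. The base URL, the function names and the allowlists are assumptions.

```javascript
// Added example (not the lab's own code): scheme allowlisting for link and
// image URLs, applied to attributes of the rendered HTML/DOM.
const LINK_SCHEMES = new Set(["http:", "https:", "mailto:"]);
const IMAGE_SCHEMES = new Set(["http:", "https:"]);

// Assumed base, used only to resolve relative URLs (/docs, #frag, ?q);
// it never appears in the output, since the original string is returned.
const RESOLVE_BASE = "https://example.invalid/";

// Returns the scheme a browser would assign to `url` (for example "https:"),
// or null when the value cannot be parsed as a URL at all.
function effectiveScheme(url) {
  try {
    // The WHATWG parser lower-cases the scheme and drops ASCII tab/newline
    // characters anywhere in the input, so spelling tricks in the scheme
    // resolve to the same value the browser would navigate with.
    return new URL(url, RESOLVE_BASE).protocol;
  } catch {
    return null;
  }
}

// Returns `url` unchanged when its effective scheme is on the allowlist,
// otherwise `fallback`: an inert value the renderer emits instead, or the
// signal to drop the attribute entirely.
function safeUrl(url, allowed, fallback) {
  if (typeof url !== "string") return fallback;
  const trimmed = url.trim();
  const scheme = effectiveScheme(trimmed);
  return scheme !== null && allowed.has(scheme) ? trimmed : fallback;
}

// Link hrefs fall back to "#" (renders as a dead link); image srcs fall
// back to "" so the caller removes the attribute rather than emit a URL.
const safeHref = (url) => safeUrl(url, LINK_SCHEMES, "#");
const safeSrc = (url) => safeUrl(url, IMAGE_SCHEMES, "");
```

Run the functions over each href and src attribute of the sanitized DOM after Markdown rendering; the relative-URL case relies on the renderer later resolving against the real page origin, not RESOLVE_BASE.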